
Summary
This analytic rule detects execution of the 'chown' command on Linux, specifically when it is used to change the ownership of a file or directory to 'root'. It uses Sysmon telemetry (command-line arguments and process details) to identify processes launched as 'chown' and checks that the ownership change targets 'root'; such changes can indicate privilege escalation attempts by an attacker, malware, or a red team. Detecting these actions is important because they can enable adversaries to gain root access and compromise the entire system. The implementation requires EDR agents that provide the necessary process logging, with the data collected and normalised to the Splunk Common Information Model (CIM). A command that meets these criteria warrants further investigation to determine whether the action was legitimate.
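As an added example (not the rule's own SPL or any Splunk project code), the condition described above applied to constructed process events: the field names dest, user, process_name and process, and the sample command lines, are assumptions chosen to resemble CIM-normalised Endpoint.Processes records.

```python
import shlex
from typing import Optional

# Constructed sample events (assumed field names); the last three should not match.
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "deploy", "process_name": "chown",
     "process": "chown root /usr/local/bin/backup.sh"},
    {"dest": "web01", "user": "deploy", "process_name": "chown",
     "process": "chown -R root:root /opt/app"},
    {"dest": "db02", "user": "ops", "process_name": "chown",
     "process": "chown --recursive 0:0 /etc/cron.d/job"},
    {"dest": "db02", "user": "postgres", "process_name": "chown",
     "process": "chown postgres:postgres /var/lib/pgsql/data"},
    {"dest": "app03", "user": "ops", "process_name": "chown",
     "process": "chown --reference=/etc/passwd /tmp/x"},
    {"dest": "app03", "user": "ops", "process_name": "ls",
     "process": "ls -l root"},
]


def chown_target_owner(cmdline: str) -> Optional[str]:
    """Return the OWNER part of a chown command line's first positional
    argument, or None when the command is not chown or states no owner."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: cannot parse safely
    if not argv or argv[0].rsplit("/", 1)[-1] != "chown":
        return None
    options_done = False
    for arg in argv[1:]:
        if not options_done and arg == "--":
            options_done = True  # everything after "--" is positional
            continue
        if not options_done and arg.startswith("-"):
            if arg.startswith("--reference"):
                return None  # owner comes from another file, not the command line
            continue  # option such as -R or --recursive
        # Forms: OWNER, OWNER:GROUP, OWNER.GROUP (legacy), or :GROUP (no owner)
        owner = arg.replace(".", ":", 1).split(":", 1)[0]
        return owner or None
    return None


def is_chown_to_root(event: dict) -> bool:
    """True when the event is a chown whose new owner is root (name or uid 0)."""
    return chown_target_owner(event.get("process", "")) in ("root", "0")


def find_chown_to_root(events):
    return [e for e in events if is_chown_to_root(e)]
```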
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1222.002
- T1222
- T1548.001
Created: 2024-11-13